So despite the headlines about bitcoin exchange heists and cryptojacking - malware that turns endpoints into miners designed to computationally generate bitcoins, ether, monero and other cryptocurrency - when it comes to generating illicit profits, ransomware remains alive and well.

"As often happens in the world of cybercrime, old threats stay with us for ages, and new threats simply add themselves to the mix rather than taking over," Paul Ducklin, a security researcher at anti-virus firm Sophos, says in a blog post.

The number of unique ransomware families or unique variants seen per year. (Source: F-Secure)

Some ransomware attackers have been refining their efforts by focusing on high-value targets that they think are more likely to pay large ransoms.

"Ransomware campaigns have historically been opportunistic in nature, infecting anyone they can via spam emails, exploit kits and malvertising," according to a new ransomware report from Finnish security firm F-Secure.

"But many cybercriminals are becoming more selective in their targets, and tailor their techniques to infect businesses or other organizations," it says. "Targeting organizations is fairly lucrative compared to infecting individual users because ransoms are typically set per device."

SamSam Targets Organizations

That tactic has been seen in particular with whoever is behind SamSam ransomware, which has been tied to at least eight outbreaks in the United States this year, triggering an alert from the cybersecurity center at the U.S. Department of Health and Human Services (see HHS Warns of SamSam Ransomware Attacks).

Instead of attackers using shotgun-like tactics to indiscriminately lob crypto-locking malware at consumers and organizations en masse, Sophos says the SamSam gang at least has been getting much more targeted.

"Instead of blasting out one copy of the malware to thousands of potential victims over a day or two, the crooks blast thousands of copies of the malware onto computers inside a single organization, pretty much all at once ... and then, almost casually, they offer a 'volume discount' to fix the entire company in one fell swoop," Ducklin says.

Ransomware as a Business

SamSam first appeared in 2016 and has continued to get updated.

Early this year, Cisco's Talos security group reported seeing a new variant that was being used, apparently in highly targeted attacks against government, healthcare and industrial control system vendor targets.

"Although the infection vector for the new variant is not yet confirmed, there is a possibility that compromised RDP/VNC servers have played a part in allowing the attackers to obtain an initial foothold," reported Vitor Ventura, a senior security researcher at Cisco Talos, in a January blog post.

Hackers often use brute-force attacks against weak Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC) credentials - or purchase those credentials via cybercrime forums - to gain easy access to targeted networks, security experts say. After spending weeks or months exploring breached networks and looking for valuable information, attackers may crypto-lock the systems as the final stage of their attack in an attempt to increase their profits (see Hackers Exploit Weak Remote Desktop Protocol Credentials).
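The RDP password-guessing described above leaves a distinctive trail in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10, meaning RemoteInteractive, from one source address against many account names. The following is an added detection example, not code from the article or from any of the vendors it quotes. The log lines are constructed to resemble flattened 4625/4624 records, and the field layout, the five-minute window and the thresholds are assumptions a defender would tune to their own environment.

```python
"""
Flag likely RDP password-guessing from failed-logon records.

Added example; the sample log is constructed and the one-line field layout
(timestamp, event id, target account, source IP, logon type) is an assumption
about how a collector might flatten Windows Security events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP); type 3 = network logon (SMB etc.).
SAMPLE_LOG = """\
2018-05-02T03:14:01 4625 administrator 203.0.113.7 10
2018-05-02T03:14:02 4625 admin 203.0.113.7 10
2018-05-02T03:14:03 4625 backup 203.0.113.7 10
2018-05-02T03:14:04 4625 sqlservice 203.0.113.7 10
2018-05-02T03:14:05 4625 administrator 203.0.113.7 10
2018-05-02T03:14:06 4625 guest 203.0.113.7 10
2018-05-02T03:14:07 4625 jsmith 203.0.113.7 10
2018-05-02T09:30:00 4625 jsmith 198.51.100.22 10
2018-05-02T09:31:00 4624 jsmith 198.51.100.22 10
2018-05-02T11:00:00 4625 mjones 192.0.2.9 3
"""


def parse_events(text):
    """Parse the flattened log into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, event_id, account, src_ip, logon_type = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "src_ip": src_ip,
            "logon_type": int(logon_type),
        })
    return events


def find_bruteforce_sources(events, window=timedelta(minutes=5),
                            threshold=5, min_accounts=3):
    """Return {src_ip: (total_rdp_failures, distinct_accounts)} for every source
    that produced at least `threshold` RDP (type 10) failures spanning at least
    `min_accounts` distinct account names within any sliding `window`.

    Requiring several distinct accounts separates guessing or spraying from a
    single user who mistyped a password a few times.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            by_ip[e["src_ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            in_window = evs[start:end + 1]
            accounts = {e["account"] for e in in_window}
            if len(in_window) >= threshold and len(accounts) >= min_accounts:
                flagged[ip] = (len(evs), len({e["account"] for e in evs}))
                break
    return flagged


if __name__ == "__main__":
    for ip, (fails, accts) in find_bruteforce_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {fails} RDP logon failures across {accts} accounts")
```

Only 203.0.113.7 is reported: seven rapid failures against six different usernames. The single failure from 198.51.100.22 followed by a success is an ordinary typo, and the type 3 failure from 192.0.2.9 is not an RDP attempt at all. In practice the same query belongs in a SIEM with the source address correlated against later successful type 10 logons, which is the signal that a guessed credential is now being used.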

SamSam's Volume Discount for Decryption

The batch file also allows attackers to set their price points for each attack. In one attack, the price was set at 0.8 bitcoins to unlock individual, crypto-locked hosts, or 5 bitcoins to unlock them all. As of Wednesday, that would work out to $7,300 to unlock an individual system or $46,000 to unlock them all.

To demonstrate their supposedly good intentions, "SamSam adversaries offer free decryption of two files and an additional free key to decrypt one server," according to Cisco Talos.

But attackers also warn that they're not offering any "get out of jail for free" cards. "Once again, SamSam actors show their ability to monitor and laterally move through the network by pointing out they will only provide a key if they believe the server is not an important piece of infrastructure," according to Cisco Talos.

Who's Paying Attackers?

Law enforcement and security experts have long recommended that organizations never pay ransoms, because they directly fund cybercrime, encourage criminals to keep attacking, and can even result in the same victims being crypto-locked and extorted multiple times, once criminals learn of their propensity to pay (see Please Don't Pay Ransoms, FBI Urges).

Defending against ransomware attacks requires preparation, including ensuring that organizations maintain complete, current and easily recoverable backups, stored offline so they cannot be encrypted by ransomware. Many organizations, however, do not appear to focus on these disaster recovery essentials until they have already suffered a ransomware outbreak. In addition, restoration is not an instantaneous process. Organizations that have up-to-date backups still face days or weeks of effort to wipe and restore affected systems, and can see profits - or in the case of healthcare organizations, patient care - suffer in the interim.

So it's no surprise that multiple studies have found that a significant number of ransomware victims do pay a ransom, meaning that infecting PCs and servers with crypto-locking malware appears to remain a lucrative cybercrime endeavor. Indeed, some security experts suggest that ransomware profits for criminals have exceeded the $1 billion mark (see I Believe in Cybercrime Unicorns).

"According to a 2017 study from Australian telecommunications company Telstra, approximately 57 percent of businesses in the Asia-Pacific region dealt with ransomware infections by paying," F-Secure says. "A similar study published in 2016 found that 70 percent of organizations paid. But some estimates are more conservative, with a 2018 survey finding that only about 40 percent of companies paid the ransom - with only about half of those getting their data back."

SamSam has also been seeing profits from its ransomware efforts. In January, Hancock Health reported that it had paid the gang 4 bitcoins, worth about $55,000 at the time, to receive a decryption key that did enable it to unlock its crypto-locked systems.

The ID Ransomware site now counts 577 types of ransomware, of which there can be numerous variants.

Michael Gillespie, the self-described "ransomware hunter" behind ID Ransomware, told Information Security Media Group earlier this year that his count of new ransomware appears to be slowing, although new variants are still emerging at an appreciable rate.

"I'd say it has been slowing down a little, just because I don't add every little in-dev thing we spot anymore," he said. For example, "the number displayed on IDR actually doesn't include all the little strains of HiddenTear - they are all identified just under 'HiddenTear.' I only separate off a HiddenTear-based ransomware if it's something really unique."

Hidden Tear is open source, proof-of-concept ransomware published to GitHub by Turkish programmer Utku Sen in August 2015. Sen said his intentions were educational, and ever since then, attackers have been using it to school victims (see Ransomware Gets Pokémon Go Treatment).

Low Barriers to Entry

But Hidden Tear is just one of many different options. Thanks to the effectiveness of ransomware at generating profits, anyone who wants to use it to generate illicit profits can tap one of numerous options now available via cybercrime forums (see Want to Get Into Ransomware? This Kit Costs Just $175).

One reason ransomware development has increased so dramatically - in addition to its popularity - is the degree of support it's received from cybercriminals, F-Secure says. "The availability of ransomware-as-a-service offerings, such as Cerber and Satan, and open source projects, such as HiddenTear and EDA2, make ransomware accessible to attackers that lack the skills or resources to develop their own malware from scratch. And supporting infrastructure, such as exploit kits and spam services, are readily available for rent or purchase by these adversaries."

For cybercriminals, in other words, ransomware business keeps booming.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
